Bugzilla – Bug 1060176
VUL-0: CVE-2017-14682: ImageMagick: GetNextToken in MagickCore/token.c heap buffer overflow could lead to denial of service
Last modified: 2017-12-22 23:38:25 UTC
CVE-2017-14682 GetNextToken in MagickCore/token.c in ImageMagick 7.0.6 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted SVG document, a different vulnerability than CVE-2017-10928.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14682
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14682.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14682
https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32726
heap write overflow. needs fix.
https://github.com/ImageMagick/ImageMagick/commit/3bee958ee63eb6ec62834d0c7b28b4b6835e6a00
I do not get any valgrind error anywhere.
42.3/GraphicsMagick code in utility.c:

    if ((LocaleNCompare(token,"url(#",5) == 0) &&
        ((r = strrchr(token,')')) != NULL))
      {
        *r='\0';
        (void) memmove(token,token+5,r-token+1);
      }

In my opinion not affected. Similarly for 11/GraphicsMagick and 11/ImageMagick. Only 12/ImageMagick seems to be affected. However, gdb does not stop inside the offending if block for this testcase. But I guess the check is worth adding.
(In reply to Petr Gajdos from comment #4)
> 42.3/GraphicsMagick code in utility.c:
>
>     if ((LocaleNCompare(token,"url(#",5) == 0) &&
>         ((r = strrchr(token,')')) != NULL))
>       {
>         *r='\0';
>         (void) memmove(token,token+5,r-token+1);
>       }

Although .. the code is not correct either. memmove() copies too much if I understand correctly. I will notify GraphicsMagick upstream.
Will submit for: 12/ImageMagick, 42.3/GraphicsMagick and 42.2/GraphicsMagick

(In reply to Petr Gajdos from comment #5)
> (In reply to Petr Gajdos from comment #4)
> > 42.3/GraphicsMagick code in utility.c:
> >
> >     if ((LocaleNCompare(token,"url(#",5) == 0) &&
> >         ((r = strrchr(token,')')) != NULL))
> >       {
> >         *r='\0';
> >         (void) memmove(token,token+5,r-token+1);
> >       }
>
> Although .. the code is not correct either. memmove() copies too much
> if I understand correctly. I will notify GraphicsMagick upstream.

Well, probably not worth the effort .. null char injected .. few bytes read potentially past allocated memory.
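Editor's added example (not code from the bug report, GraphicsMagick or ImageMagick): the utility.c pattern quoted in comment #4 is placed next to a corrected version, and a helper counts how many bytes the posted memmove reads past the token's original NUL terminator, which is the "few bytes read potentially past allocated memory" of comment #6. has_prefix_nocase is a stand-in written here for LocaleNCompare; the MAX_TOKEN scratch buffer, the sample tokens and the helper names are assumptions made for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Scratch buffer size for the helpers below (assumption, not from the page). */
#define MAX_TOKEN 64

/* Case-insensitive prefix test standing in for LocaleNCompare(token,prefix,n)==0.
 * Written for this example; it is not the ImageMagick/GraphicsMagick function. */
static int has_prefix_nocase(const char *s, const char *prefix)
{
    for (; *prefix != '\0'; s++, prefix++) {
        if (*s == '\0' ||
            tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    }
    return 1;
}

/* The pattern quoted in comment #4, behaviour preserved: memmove is told to
 * copy r-token+1 bytes (the whole truncated token plus its NUL) although the
 * copy starts 5 bytes in, so the last 5 source bytes lie beyond the new NUL. */
static void strip_url_ref_posted(char *token)
{
    char *r;

    if (has_prefix_nocase(token, "url(#") &&
        ((r = strrchr(token, ')')) != NULL)) {
        *r = '\0';
        (void) memmove(token, token + 5, r - token + 1);
    }
}

/* Corrected form: copy only the id between "url(#" and the last ')', then
 * terminate it. Every byte read lies inside the original string. */
static void strip_url_ref_fixed(char *token)
{
    char *r;

    if (has_prefix_nocase(token, "url(#") &&
        ((r = strrchr(token, ')')) != NULL)) {
        /* the prefix matched, so the last ')' is never before index 5 */
        size_t id_len = (size_t)(r - (token + 5));
        (void) memmove(token, token + 5, id_len);
        token[id_len] = '\0';
    }
}

/* Bytes the posted memmove reads past the original NUL of token, i.e. past
 * the end of an exactly sized allocation. 0 when the copy is not performed
 * or every source byte still lies inside the original string. */
static size_t posted_overread_bytes(const char *token)
{
    const char *r;
    size_t orig_len, last_read;

    if (!has_prefix_nocase(token, "url(#") || (r = strrchr(token, ')')) == NULL)
        return 0;
    orig_len = strlen(token);              /* index of the original NUL */
    last_read = (size_t)(r - token) + 5;   /* index of (token+5) + (r-token+1) - 1 */
    return last_read > orig_len ? last_read - orig_len : 0;
}

/* Run a variant on a copy of input inside a MAX_TOKEN-byte scratch buffer, so
 * the posted over-read stays in memory we own; returns the resulting token. */
static const char *apply_posted(const char *input)
{
    static char buf[MAX_TOKEN];
    snprintf(buf, sizeof buf, "%s", input);
    strip_url_ref_posted(buf);
    return buf;
}

static const char *apply_fixed(const char *input)
{
    static char buf[MAX_TOKEN];
    snprintf(buf, sizeof buf, "%s", input);
    strip_url_ref_fixed(buf);
    return buf;
}

int main(void)
{
    /* Constructed sample tokens, as a scanner would hand them to this code. */
    const char *samples[] = { "url(#abc)", "url(#abc) rest", "URL(#)", "fill", "url(#abc" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-16s posted=\"%s\" fixed=\"%s\" over-read=%zu byte(s)\n",
               samples[i], apply_posted(samples[i]), apply_fixed(samples[i]),
               posted_overread_bytes(samples[i]));
    }
    return 0;
}
```

Both variants produce the same id for well-formed input; the difference is only in what the posted one reads. For "url(#abc)" in an allocation of exactly strlen+1 bytes the posted memmove reads 4 bytes beyond the buffer, which is what AddressSanitizer (-fsanitize=address) would report as a heap-buffer-overflow read and what plain valgrind may miss when the bytes happen to fall inside the allocator's rounding.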
Summary: 12/ImageMagick affected.
I believe all fixed.
SUSE-SU-2017:3388-1: An update that solves 32 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1048457,1049796,1050083,1050116,1050139,1050632,1051441,1051847,1052450,1052553,1052689,1052744,1052758,1052764,1054757,1055214,1056432,1057157,1057719,1057729,1057730,1058485,1058637,1059666,1059778,1060176,1060577,1061254,1062750,1066003,1067181,1067184,1067409
CVE References: CVE-2017-11188,CVE-2017-11478,CVE-2017-11523,CVE-2017-11527,CVE-2017-11535,CVE-2017-11640,CVE-2017-11752,CVE-2017-12140,CVE-2017-12435,CVE-2017-12587,CVE-2017-12644,CVE-2017-12662,CVE-2017-12669,CVE-2017-12983,CVE-2017-13134,CVE-2017-13769,CVE-2017-14138,CVE-2017-14172,CVE-2017-14173,CVE-2017-14175,CVE-2017-14341,CVE-2017-14342,CVE-2017-14531,CVE-2017-14607,CVE-2017-14682,CVE-2017-14733,CVE-2017-14989,CVE-2017-15217,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546,CVE-2017-16669
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src): ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src): ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Server 12-SP3 (src): ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Server 12-SP2 (src): ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Desktop 12-SP3 (src): ImageMagick-6.8.8.1-71.17.1
SUSE Linux Enterprise Desktop 12-SP2 (src): ImageMagick-6.8.8.1-71.17.1
done
openSUSE-SU-2017:3420-1: An update that solves 32 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1048457,1049796,1050083,1050116,1050139,1050632,1051441,1051847,1052450,1052553,1052689,1052744,1052758,1052764,1054757,1055214,1056432,1057157,1057719,1057729,1057730,1058485,1058637,1059666,1059778,1060176,1060577,1061254,1062750,1066003,1067181,1067184,1067409
CVE References: CVE-2017-11188,CVE-2017-11478,CVE-2017-11523,CVE-2017-11527,CVE-2017-11535,CVE-2017-11640,CVE-2017-11752,CVE-2017-12140,CVE-2017-12435,CVE-2017-12587,CVE-2017-12644,CVE-2017-12662,CVE-2017-12669,CVE-2017-12983,CVE-2017-13134,CVE-2017-13769,CVE-2017-14138,CVE-2017-14172,CVE-2017-14173,CVE-2017-14175,CVE-2017-14341,CVE-2017-14342,CVE-2017-14531,CVE-2017-14607,CVE-2017-14682,CVE-2017-14733,CVE-2017-14989,CVE-2017-15217,CVE-2017-15930,CVE-2017-16545,CVE-2017-16546,CVE-2017-16669
Sources used:
openSUSE Leap 42.3 (src): ImageMagick-6.8.8.1-40.1
openSUSE Leap 42.2 (src): ImageMagick-6.8.8.1-30.12.1